Elastic Releases Critical Security Updates for Kibana & Elasticsearch
Security Advisory:
Elastic has released security updates for Kibana and Elasticsearch.
Addressed 5 vulnerabilities, including 3 high-severity Cross-Site Scripting (XSS) issues
This also include one sensitive data exposure flaw, and one credential leakage issue
| OEM | Elastic |
| Severity | High |
| CVSS Score | 8.7 |
| CVEs | CVE-2025-25009, CVE-2025-25017, CVE-2025-25018, CVE-2025-37727, CVE-2025-37728 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
The most severe, CVE-2025-25009 (CVSS 8.7), affects Kibana’s case file upload functionality, potentially allowing attackers to execute arbitrary scripts. These vulnerabilities could allow data theft, session hijacking or privilege escalation in affected environments. Users & Administrators strongly advise to update to the patched versions immediately to mitigate risks.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Stored XSS Vulnerability via Case File Upload Vulnerability | CVE-2025-25009 | Kibana | High | v8.18.8, v8.19.5, v9.0.8, v9.1.5 |
| Kibana Cross Site Scripting (XSS) Vulnerability | CVE-2025-25017 | Kibana | High | |
| Kibana Stored Cross Site Scripting (XSS) Vulnerability | CVE-2025-25018 | Kibana | High |
Technical Summary
Elastic’s latest security patches fix several vulnerabilities in Kibana and Elasticsearch. These vulnerabilities could let attackers inject malicious code or gain access to sensitive information.
This could result in stolen data, taken-over user sessions, or even gaining higher access levels in the system. Although no active exploits have been reported, users are strongly advised to update immediately for protection to ensure optimal security and stability .
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-25009 | Kibana (7.x ≤ 7.17.29, 7.x ≤ 7.17.29, 8.x ≤ 8.18.7, 8.19.x ≤ 8.19.4, 9.0.x ≤ 9.0.7, 9.1.x ≤ 9.1.4) | Stored XSS via malicious file uploads in case management, allowing JavaScript injection | Data Theft, Session Hijacking, Privilege Escalation |
| CVE-2025-25017 | Kibana (7.x ≤ 7.17.29, 7.x ≤ 7.17.29, 8.x ≤ 8.18.7, 8.19.x ≤ 8.19.3, 9.0.x ≤ 9.0.6, 9.1.x ≤ 9.1.3) | XSS in Vega visualization engine due to improper neutralization of inputs, enabling script execution | Malicious Script Execution |
| CVE-2025-25018 | Kibana (7.x ≤ 7.17.29, 7.x ≤ 7.17.29, 8.x ≤ 8.18.7, 8.19.x ≤ 8.19.4, 9.0.x ≤ 9.0.7, 9.1.x ≤ 9.1.4) | Stored XSS in Kibana due to improper validation of specified type of input. | Session Compromise, Unauthorized Access |
Other Vulnerabilities
In addition to the three high-severity flaws, Elastic patched 2 other vulnerabilities in the same Security Announcements release.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Sensitive Data Exposure in Audit Logging | CVE-2025- 37727 | Elasticsearch | Medium | v8.18.8, v8.19.5, v9.0.8, v9.1.5 |
| Credential Leakage in CrowdStrike Connector | CVE-2025- 37728 | Kibana (CrowdStrike Connector) | Medium | v8.18.8 and higher |
Recommendations:
Update Kibana and Elasticsearch immediately to the following versions
- Kibana/Elasticsearch: v8.18.8, v8.19.5, v9.0.8, v9.1.5 or the latest version.
If unable to update immediately you can follow some workarounds below
- For the CVE-2025-25009, For versions >= 7.12 to < 9.0 users can set “discover:searchFieldsFromSource: true” in Advanced Settings and there are no workarounds for 9.0+.
- For the CVE-2025-25017, users can disable Vega visualizations but note that this will disable all Vega charts in Kibana.
- For the CVE-2025-37727, users can set “xpack.security.audit.logfile.events.emit_request_body” to “false”.
Conclusion:
The Elastic security update addresses severe vulnerabilities in Kibana and Elasticsearch, including high-severity XSS issues that could enable attackers to compromise dashboards, steal data, or escalate privileges.
Although no exploitation has been reported but these vulnerabilities need immediate patching. Immediate action is essential to maintain system integrity and protect sensitive data in monitoring and logging environments.
References: